Introduction to Privacy, Security and Confidentiality

Neehr Perfect EHR Activity – Introduction to Privacy, Security and Confidentiality
Overview
This activity is intended for the Intermediate and Advanced EHR student user. In this activity you
will be introduced to the basic aspects related to privacy, security and confidentiality for both
the consumer and the healthcare worker.
Student Instructions
Access the EHR and follow the steps outlined in the activity below. Students will need to use
their portfolios (the chart with your name on it) to post their answers. Log into the EHR, go
to the notes section, and select "New Note" from the left side panel. In the progress note selection
box, type "Untemplated" and select the "Untemplated nurse progress note". Select your faculty as
the co-signer. Type or paste your answers into the note and select Save to submit your
work.
Prerequisites
1. Completion of Scavenger Hunts I and II
2. Optional - Scavenger Hunt III Applying Meaningful Use
3. Completion of the Neehr Perfect EHR documentation activity for Health Information
Terminology
Objectives
1. Identify the difference between privacy, confidentiality and security.
2. Understand the details of the HIPAA Security Rule.
3. Recognize role-based security.
Terminology
Privacy: the right patients have to control who can store, retrieve, and share their
health information.
Confidentiality: the practices a provider employs to protect the patient’s privacy rights,
such as permitting only certain authorized individuals to access a patient’s record.
Security: specific safeguards or controls that are put in place to ensure the
confidentiality of patient data. For example, security would include a technical
safeguard that requires all individuals in the healthcare setting to log into a system using
a unique account using credentials that are not shared with others, thus providing a
mechanism to enforce confidentiality of the information.
1
Neehr Perfect EHR Activity-Introduction to Privacy, Security and Confidentiality v2
Archetype Innovations LLC ©2013
Details of the HIPAA Security Rule with regard to implementing HIT systems
The HIPAA Security Rule groups its security standards into three categories—
administrative safeguards, physical safeguards, and technical safeguards.
Administrative safeguards: the administrative functions that should be
implemented to ensure that security standards are met. These standards
include designating responsibility for security management, adoption of policies
and procedures, and privacy and security training for an organization’s staff.
Physical safeguards: the controls put in place to protect electronic systems and
hardware, and the data stored on them, from threats such as natural disasters and
unauthorized intrusion. These safeguards may include locks on doors, special
rooms, and back-ups to ensure that the data can be retrieved.
Technical safeguards: the automated controls used to protect electronic data
and to control access. Examples include using authentication controls to ensure
the identity of a person accessing a Health IT system containing electronic PHI, as
well as encryption standards for data stored in HIT systems and transferred
between them.
Role-Based Safety & Security Overview
When we think of safety and security in the EHR, we often think first of alerts and pop-ups.
EHRs do indeed use the concept of the alert or pop-up message to notify users of potential risks,
but these types of security are only secondary measures to encourage safe and mindful
healthcare practice. Primary safety measures are built into the very structure of the EHR and
are often invisible to the individual user. Primary safety measures, or “user-based security,” can
help prevent a healthcare professional from potentially dangerous situations or inappropriate
actions and therefore, can help prevent safety alerts and pop-ups from being triggered.
This activity will introduce you to a number of the safety structures built into the EHR and
provide you with hands-on experience with a few of them. Because many of the safety
mechanisms in the EHR are controlled by user class, role and privilege level, you will need to log
into the EHR as different users to be able to see the underlying safety structures at work.
Role-Based Security Elements
User Class:
Classifies an individual user by professional scope of practice, e.g. Nurse, Doctor, Medical
Assistant. The user class determines the user's privileges, i.e. what they can access
in the EHR.
Menu Options:
Control where a user can go and what they have access to. CPRS itself is a menu option, as is
eMAR. Users can be granted additional menu options to increase their access.
Security Keys:
Control what a user can and cannot do within any area of the EHR, e.g. the CPRS Med Button used
to order crash cart meds in the BCMA. To hold the CPRS Med Button, a user must first be in the
Nurse user class AND have the BCMA menu option; only then can they be granted the CPRS
Med Button security key.
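To make the three layers concrete, here is an added illustration (not code from Neehr Perfect or CPRS) of how the grant-time and use-time checks stack: a security key can be granted only to a user who already holds the required user class and menu option, and it stops working if either underlying layer is later removed. The names User, grant_menu_option, revoke_menu_option, grant_security_key and can_use are assumed for the example.

```python
from dataclasses import dataclass, field

# Constructed illustration of the role-based security elements above;
# not Neehr Perfect or CPRS code. Class, function and set names are hypothetical.
MENU_OPTIONS = {"CPRS", "eMAR", "BCMA"}

# A security key's prerequisite: the (user class, menu option) that must already be held.
# The CPRS Med Button rule is the one stated in the text.
KEY_PREREQUISITES = {
    "CPRS Med Button": ("Nurse", "BCMA"),
}


@dataclass
class User:
    name: str
    user_class: str                 # professional scope of practice, e.g. Nurse, Doctor
    menu_options: set = field(default_factory=set)
    security_keys: set = field(default_factory=set)


def grant_menu_option(user, option):
    """Menu options widen where a user can go; they must be granted explicitly."""
    if option not in MENU_OPTIONS:
        raise ValueError(f"unknown menu option {option!r}")
    user.menu_options.add(option)


def revoke_menu_option(user, option):
    """Removing a menu option narrows access even if keys that depended on it remain."""
    user.menu_options.discard(option)


def grant_security_key(user, key):
    """Grant a key only when the user already holds the required class AND menu option."""
    required_class, required_option = KEY_PREREQUISITES[key]
    if user.user_class != required_class:
        raise PermissionError(f"{key} requires the {required_class} user class")
    if required_option not in user.menu_options:
        raise PermissionError(f"{key} requires the {required_option} menu option")
    user.security_keys.add(key)


def can_use(user, key):
    """Use-time check: all three layers must still hold, not just the key itself."""
    required_class, required_option = KEY_PREREQUISITES.get(key, (None, None))
    return (user.user_class == required_class
            and required_option in user.menu_options
            and key in user.security_keys)
```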
Activity
Log in to the Neehr Perfect website at neehrperfect.com.
1. Make note of any security features (or safeguards) you see on the login screen.
_________________________________________________________________
Select the EHR icon and log in to the EHR, but this time purposely type the wrong
username and password.
Note: Your screen may look different than what is shown in the screen shots.
2. What type of error message or pop-up message do you get?
_________________________________________________________________
3. Make note of any security features you see on the login screen.
_________________________________________________________________
The second time you log in to the EHR use your correct access code and verify code.
4. Suppose this is the first time that you have logged into the system. What
additional safeguards could be put into place to improve the security of the login
function?
________________________________________________________________
After logging in, begin typing the word “Smith” in the search box.
5. What patients are showing in your list with the last name of "Smith"?
__________________________________________________________________
Next you will log in to the EHR as a provider using the following one-time credentials.
Close out of the EHR by clicking on File > Exit.
Back at the EHR icon screen, click on the EHR icon
and use these codes:
Access Code: doctor01
Verify Code: password.2
After logging in, begin typing the word “Smith” in the search box, just as you did before.
6. What patients are showing in your list with the last name of "Smith"?
_________________________________________________________________
7. What would account for the discrepancy in the patient list for each of these
users?
__________________________________________________________________
__________________________________________________________________
Security and Confidentiality
The idle warning will pop up on the screen after 30 minutes of complete inactivity in the
EHR. Once the idle warning appears, you have 45 seconds to press the button and
continue working. After 30 more minutes of complete inactivity, the idle window will
pop up again. A 'timeout' ensures that a record someone has opened but is not using
can be accessed by others who might need it. It also ensures that a medical record left
open on an unattended computer will automatically close after a specified amount of
time, preserving confidentiality.
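As an added illustration of the timeout described above (not the EHR's own code), the following simulates the two-stage behavior with the numbers given: 30 minutes of inactivity raise the warning, 45 seconds without a response close the session, and any activity, including pressing the continue button, restarts the 30-minute clock. The Session class and its methods are names assumed for the example; times are seconds since login.

```python
IDLE_LIMIT = 30 * 60   # seconds of complete inactivity before the idle warning appears
WARNING_GRACE = 45     # seconds the user has to press the button once the warning is up


class Session:
    """Constructed simulation of a CPRS-style idle timeout; not the EHR's code.
    States: 'active' -> 'warning' (after IDLE_LIMIT) -> 'closed' (after WARNING_GRACE)."""

    def __init__(self):
        self.last_activity = 0     # time of the most recent user interaction
        self.warning_at = None     # time the idle warning appeared, or None if not shown
        self.closed = False

    def _advance(self, t):
        """Apply the clock up to time t: raise the warning and/or close the session."""
        if self.closed:
            return
        if self.warning_at is None and t - self.last_activity >= IDLE_LIMIT:
            self.warning_at = self.last_activity + IDLE_LIMIT
        if self.warning_at is not None and t - self.warning_at >= WARNING_GRACE:
            self.closed = True     # record closes; the user must log in again

    def activity(self, t):
        """A keystroke, click, or pressing the warning's continue button at time t."""
        self._advance(t)
        if self.closed:
            return "closed"        # too late: the session already closed
        self.last_activity = t     # restart the 30-minute clock
        self.warning_at = None     # dismiss the warning if it was showing
        return "active"

    def state(self, t):
        """Observe the session state at time t without any user interaction."""
        self._advance(t)
        if self.closed:
            return "closed"
        if self.warning_at is not None:
            return "warning"
        return "active"
```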
8. Describe a situation where the CPRS Timeout may appear.
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
9. Explain why this automatic 'timeout' feature is important to the security
and confidentiality of a patient's personal medical record.
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
References
The Nationwide Privacy and Security Framework for Electronic Exchange of Individually
Identifiable Health Information. c2008. Available from:
http://healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_10731_848088_0_0_18/NationwidePS_Framework-5.pdf
Adapted from and modified for use with Neehr Perfect EHR:
Health IT Workforce Curriculum
Working with Health IT Systems Version 3.0/Spring 2012
Protecting Privacy, Security, and Confidentiality in HIT Systems
This material was developed by Johns Hopkins University, funded by the Department of Health
and Human Services, Office of the National Coordinator for Health Information Technology under
Award Number IU24OC000013.